[Gnso-epdp-team] RrSG initial comment on SSAD Registrant user group

[Sarah Wyld]

Hello all,

The RrSG has significant concerns with the inclusion of Registrants as a
user group for the System for Standardized Disclosure of non-public gTLD
registration data, and strongly recommends that this group be removed
from the proposed list of users. We are curious as to the origin of
these proposed user groups, and suggest that instead of working through
this list we begin by reviewing the purposes for processing data
(Recommendation 1) and assessing the potential user group applicable to
each purpose.

Registrants already access their domains via their service provider
(registrar or reseller)’s system, as required under the RAA. Having
multiple interfaces to access the same information poses a significant
risk of inappropriate data exposure; this unnecessary and unbalanced
security risk is not compliant with data protection law. It also creates
a confusing user experience for the registrant. For example, if a
registrant uses the SSAD to review their domain data for the purpose of
confirming that it is accurate, they would still need to work with their
service provider to confirm that the data held in that system is also up
to date. 

The RrSG notes that a system used to access or disclose data is not also
a system to modify that data. The EPDP team definitions of access and
disclosure do not include any capability to modify the data, so this is
a new addition to the requirements not grounded in any previously
agreed-upon basis or definition. Modification of domains via the SSAD
could easily result in synchronization issues and security risks, where
the SSAD holds data that is different from what is in the registrar or
reseller’s platform, or an unauthorized party could modify and even
hijack a registered domain. This also represents a fundamental shift
from the system in place for the past twenty years: EPP is
one-directional, with data flowing from the reseller or registrar
through to the registry, so any functionality for updating domain data
would need to be created and implemented by thousands of service
providers worldwide.

We look forward to discussing this important concern at today’s EPDP
team call. Beyond these concerns about the “Registrants” group, we are
also uncertain that “end users” is a valid group; this and the other
groups should be discussed with the plenary team. 

-- 
Sarah Wyld
Domains Product Team
Tucows
+1.416 535 0123 Ext. 1392

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190606/42954b56/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://mm.icann.org/pipermail/gnso-epdp-team/attachments/20190606/42954b56/signature.asc>